The invention relates to routing data to one or more entities in a network.
Communications over data networks may include electronic mail, file access, web browsing, electronic commerce transactions, telephonic communications, video conferencing, and so forth. Networks may include private networks, such as local area networks (LANs) or wide area networks (WANs), and public networks, such as the Internet. Private networks are networks in which access is restricted to authorized users, while public networks are generally accessible.
To prevent unauthorized access of data communicated over either public or private data networks, various security protocols have been implemented to allow for encryption of data and authentication of sources of data. One such security protocol is Internet Protocol Security (IPSec), as described in part by Request for Comments (RFC) 2401, entitled “Security Architecture for the Internet Protocol,” dated November 1998. Using security protocols, secure communications (such as those that are part of electronic commerce transactions, file access, and so forth) may be possible over data networks. For example, a web server may be set up by a business that offers goods or services for sale over public networks. A secure communications session may be established between a user and the web server over the public networks so the user can securely provide his or her private information.
Another application of secure communications is in virtual private networks (VPNs). In some conventional systems, access to private networks from distant locations (such as from branch offices or by remote users) is performed by direct dial-up or by dedicated point-to-point lines to provide secure links. However, direct dial-up and dedicated point-to-point lines are typically more expensive than the alternative of accessing the private network over a public network such as the Internet. To enable secure communications over a public network to one or more private networks, VPNs may be used. A VPN includes a public network as the primary transport medium, with communications protected by a security protocol. By using a VPN, a convenient and cost-effective mechanism is afforded users who desire to remotely access a private network.
Data networks may include Internet Protocol (IP) networks, in which routers may be used to route data packets to appropriate destinations based on addresses contained in the data packets. An IP packet typically includes a source address and a destination address to identify the source and destination of the packet. Different network entities are typically assigned different IP addresses.
However, in some arrangements, multiple entities in a network (particularly a network associated with home or small business users) may share a single IP address. This allows multiple nodes or entities in the network to share an inexpensive Internet access account and also makes network administration more convenient. Further, sharing of IP addresses by multiple nodes alleviates the problem of limited available IP addresses. To enable sharing of a common IP address, a router may include a network address translator (NAT). A NAT operates by modifying the headers of IP packets as they pass through the router so that packets leaving a router to a public network have a common IP address, regardless of which of plural entities in a local network originated the packets. Likewise, when packets are received from the public network by the router, addressed to the single common address, a router determines which of the plural entities in the local network the packet belongs to and modifies the destination address accordingly.
Conventionally, the address translation may be performed by using port numbers contained in the packets to uniquely identify entities in the local network sharing a common address. The port numbers may be those defined by the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), as examples. By associating a different port number with each of the plural entities in the network, the router can route a packet to the appropriate one of the entities even though a common IP address is used for all of the entities.
Although such many-to-one address translations may be performed for regular IP packets, it may not be possible if the packets are protected according to certain security protocols, such as IPSec. Under IPSec, an Internet Security Association and Key Management Protocol (ISAKMP) defines procedures and packet formats to establish, negotiate, and provide security services between various network entities. Once the desired security services have been negotiated between two entities, traffic may be carried in IP Encapsulating Security Payload (ESP) packets. In packets protected by ISAKMP and ESP, TCP or UDP ports may not be available to uniquely identify plural entities that are associated with a common IP address. Without the ability to differentiate by TCP or UDP ports, a router with a NAT would be unable to identify the target entity in a network when it receives a packet protected by a security protocol (such as ISAKMP or ESP) that includes a shared destination IP address.
A need thus exists for a method and apparatus to allow for network address translation in communications protected by a security protocol.